Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support PKCS11 3.0 #183

Draft
wants to merge 21 commits into
base: master
Choose a base branch
from
Draft

Support PKCS11 3.0 #183

wants to merge 21 commits into from

Conversation

qpernil
Copy link
Contributor

@qpernil qpernil commented Jun 18, 2021
edited

PKCS11 3.0 support, and also added ed25519 support, mechanisms for which were added in pkcs11 3.0

@qpernil qpernil force-pushed the pkcs11-3_0 branch 2 times, most recently from d1227c1 to 432dddc Compare June 18, 2021 11:06
@qpernil qpernil marked this pull request as ready for review June 22, 2021 09:20
@qpernil qpernil requested a review from aveenismail June 22, 2021 09:20
@qpernil qpernil self-assigned this Jun 22, 2021
@qpernil qpernil force-pushed the pkcs11-3_0 branch 3 times, most recently from b749973 to 78b71b8 Compare September 20, 2021 08:23
@qpernil qpernil force-pushed the pkcs11-3_0 branch 2 times, most recently from 11c58d9 to 913b3d9 Compare October 8, 2021 12:58
@qpernil qpernil marked this pull request as draft October 12, 2021 18:13
@qpernil
Copy link
Contributor Author

qpernil commented Jul 5, 2022

Adresses #270

@qpernil qpernil force-pushed the pkcs11-3_0 branch 6 times, most recently from 6f7b239 to 2b25889 Compare August 23, 2022 11:17
@qpernil qpernil marked this pull request as ready for review October 7, 2022 17:41
@qpernil qpernil mentioned this pull request Feb 22, 2023
Closed
@qpernil qpernil marked this pull request as draft September 25, 2023 15:18
github-advanced-security[bot]
github-advanced-security bot found potential problems May 16, 2024
View reviewed changes
pkcs11/util_pkcs11.c
Comment on lines +3864 to +3878
switch (m) {
case CKM_EDDSA:
return true;

default:
break;
}

Check notice

Code scanning / CodeQL

No trivial switch statements Note

This switch statement should either handle more cases, or be rewritten as an if statement.
pkcs11/util_pkcs11.c
@@ -4946,6 +5159,214 @@
return CKR_OK;
}

CK_RV parse_ed_generate_template(CK_ATTRIBUTE_PTR pPublicKeyTemplate,

Check warning

Code scanning / CodeQL

Poorly documented large function Warning

Poorly documented function: fewer than 2% comments for a function of 207 lines.
pkcs11/util_pkcs11.c
@@ -1698,7 +1786,7 @@
return CKR_OK;
}

static CK_RV load_public_key(yh_session *session, uint16_t id, EVP_PKEY *key) {
static CK_RV load_public_key(yh_session *session, uint16_t id, EVP_PKEY **key) {

Check warning

Code scanning / CodeQL

Poorly documented large function Warning

Poorly documented function: fewer than 2% comments for a function of 117 lines.
github-advanced-security[bot]
github-advanced-security bot found potential problems May 31, 2024
View reviewed changes
pkcs11/tests/pkcs11_interfaces_test.c
}
char config[256];
assert(strlen(connector_url) + strlen("connector=") < 256);
sprintf(config, "connector=%s", connector_url);

Check failure

Code scanning / CodeQL

Unbounded write Critical

This 'call to sprintf' with input from
an environment variable
may overflow the destination.
qpernil and others added 21 commits June 3, 2024 15:47
@qpernil @aveenismail
Use PKCS11 3.0 headers
311dae1
@qpernil @aveenismail
Added files to be installed
542aa52
@qpernil @aveenismail
Basic PKCS11 3.0 support
bf03494
@qpernil @aveenismail
Make function lists static
8c7d783
@qpernil @aveenismail
Make function lists const
7df7fd7
@qpernil @aveenismail
Refactored C_Login and C_LoginUser
b5ae5f3
@qpernil @aveenismail
Rebase fixes
d9bf622
@qpernil @aveenismail
Rebase changes
09ede45
@qpernil @aveenismail
Support ed25519
11949ee
@qpernil @aveenismail
Fix attributes for ed25519 keys
34526ae
@qpernil @aveenismail
ed25519 keys are considered 255 bits. Refactor getting CKA_EC_POINT s…
078a0ae 
…lightly
@qpernil @aveenismail
pkc11 3.1
6e79dd6
@marcwillert @aveenismail
fix buffer_length check for EdDSA in util_pkcs11.c (#390)
645928a 
Having problems signing with EdDSA on YubiHSM2 via PKCS11.
Getting an 
pkcs11:p11prov_Sign:The size of plaintext input data to a cryptographic operation is invalid (Out of range):interface.gen.c:679:Error returned by C_Sign
error

As I understand the PKCS11 v3.0 spec, the 1024 bit limit (note by "adma" in line 2228) applies only to "ECDSA without hashing" (CKM_ECDSA) as it only processes a hash value.

see: https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.0/os/pkcs11-curr-v3.0-os.html#_Toc30061189

EdDSA does not have this limit, so the size of "op_info->buffer" should be the limiting factor

see: https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.0/os/pkcs11-curr-v3.0-os.html#_Toc30061191
@aveenismail
PKCS11: Rebase on current master
ce3834e
@aveenismail
PKCS11: Fix include for older OSs. Githubactions: Fix OpenSSL install…
a8bd9aa 
…ation on MacOS runners
@aveenismail
PKCS11: Compile ED25519 code only when OpenSSL is higher than 1.0. Bu…
abab264 
…ild: Fix Redhat and MacOS builds
@aveenismail
PKCS11: Fix header inclusion in test
c19e753
@aveenismail
PKCS11: Update tests to use PKCS11_3 functionlist. Add test for PKCS1…
77ba6c7 
…1 interfaces
@aveenismail
PKCS11: Remove unnecessary KDF definitions
a676bb4
@aveenismail
PKCS11: Fix PKCS11 interfaces test
49fc533
@aveenismail
PKCS11_3: return CKR_PIN_INCORRECT when logging in with wrong password
ceb6dfa
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aveenismail aveenismail Awaiting requested review from aveenismail

Assignees

@qpernil qpernil

Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@qpernil @marcwillert @aveenismail